The incident of 3.2 million debit cards being blocked by Indian lenders has sent jitters across the banking community.

The banking sector globally is now encountering an increasing number of online frauds.

The concern is growing among bankers and customers on the threats posed by cyber criminals. With the rise in the volume of funds transmitted via electronic channels, the sector is facing new challenges as unscrupulous elements have started devising ingenious methods to siphon money sitting in countries outside India.

The latest incident of 3.2 million debit cards being blocked or recalled by Indian banks has sent jitters across the banking community. While the data breach took place between May and July, the fraud was discovered only in September and banks then decided to proactively change cards. In fact, days before demitting office in September, the then RBI Governor had indicated that there has been a spate of frauds (through vishing and phishing) in some segments of payment services.

According to AP Hota, National Payment Corporation of India (NPCI), the genesis of the latest problem was receipt of complaints from some banks that their customers’ cards were used fraudulently mainly in China and the US while customers were in India. NPCI and other payment providers identified the security breach and the possible card numbers which could have been compromised during that period. These cards were then either blocked or recalled.

The banking sector globally is now encountering an increasing number of online frauds. At the start of the year, Bangladesh Bank was the target: an attempt was made to steal $1 billion, and the attackers ultimately got away with $81 million. Recently, in India too, a similar attempt was made on a commercial bank by generating fraudulent payment instructions on the Nostro accounts and transmitting them over the SWIFT messaging system. Though a monetary loss was prevented, thanks to proactive follow-up with the concerned paying / intermediary banks, the incident reinforces the fact that various stakeholders may not have learnt the lessons yet.

RBI Deputy Governor SS Mundra, who highlighted online frauds in a recent lecture, said the RBI has also come across instances of fraudulent messages confirming documentary credits being transmitted using SWIFT infrastructure. In another incident involving the shared mobile wallet of a bank, vulnerabilities were observed in the application itself which led to exploitation by the attackers. The originator of the transfer could get the amount reversed back to him without a corresponding debit in the recipient’s account in a large number of transactions (total amount involved was around Rs 12 crore). The bank was not performing any real-time reconciliation and noticed it only when there was a spike in transactions which led to detection during reconciliation. The vulnerabilities exploited in the incident could have been averted, had the launch of the product not been rushed through, the RBI said.
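The wallet incident above comes down to a missing ledger invariant: every reversal credited to the originator needs a matching debit on the recipient. The sketch below is an added example, not code from the bank or the RBI; the entry layout, account names, amounts and grace period are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    ts: int        # seconds since the start of the sample (constructed)
    txn_id: str
    kind: str      # "transfer" or "reversal"
    account: str
    amount: int    # signed, in paise: credit > 0, debit < 0

def reconcile(entries, now, grace=5):
    """Return (txn_id, kind, net) for each leg group that does not net to
    zero once `grace` seconds have passed since its first posting."""
    net = defaultdict(int)
    first_seen = {}
    for e in entries:
        key = (e.txn_id, e.kind)
        net[key] += e.amount
        first_seen.setdefault(key, e.ts)
    return sorted(
        (txn, kind, amt)
        for (txn, kind), amt in net.items()
        if amt != 0 and now - first_seen[(txn, kind)] > grace
    )

def exposure(findings):
    """Money created out of nothing: credits with no offsetting debit."""
    return sum(amt for _, _, amt in findings if amt > 0)

# Constructed sample ledger, not real transaction data.
SAMPLE = [
    Entry(0,  "T1", "transfer", "wallet-A", -50_000),
    Entry(0,  "T1", "transfer", "wallet-B", +50_000),
    Entry(10, "T1", "reversal", "wallet-A", +50_000),  # no debit on wallet-B
    Entry(20, "T2", "transfer", "wallet-C", -20_000),
    Entry(20, "T2", "transfer", "wallet-D", +20_000),
    Entry(30, "T2", "reversal", "wallet-C", +20_000),
    Entry(31, "T2", "reversal", "wallet-D", -20_000),  # properly paired
    Entry(58, "T3", "transfer", "wallet-E", -10_000),  # credit leg in flight
]

if __name__ == "__main__":
    findings = reconcile(SAMPLE, now=60)
    print(findings, "exposure (paise):", exposure(findings))
```

Run continuously against the posting stream, a check of this kind flags the first unpaired reversal within seconds instead of waiting for a volume spike to show up in a later batch reconciliation.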

An e-payment validation website of a large bank was hacked. Surprisingly, the bank was not aware of the incident till it was notified by a law enforcement agency. There was a Facebook post by a person from a neighbouring country claiming responsibility for the operation. Though the hacking incident did not result in any pecuniary loss as the site attacked was only performing validations of inputs entered by end users, nevertheless it demonstrates a serious security breach, the RBI said. Cyber incidents are increasingly shifting towards targeting of financial institutions instead of end users.

Modus operandi

Skimming is common these days. This is a more technical mode of duping and the cardholder can hardly do anything about it. The miscreants plant a small skimming device in the debit card slot of the ATM machine, and it reads the magnetic tape information of the card when the card goes through the skimming device. With the copied magnetic information, the defrauder can reproduce a duplicate card (on any plastic card) to be used later to withdraw cash. In order to access the PIN, the fraudster also installs a small camera at the ATM kiosk that can capture the ATM PIN when it is entered by the cardholder.

Another form of ATM-related fraud that has come to banks’ notice is card swapping. When a customer visits a merchant establishment, a restaurant or a petrol station and uses his/her debit card for transaction, the attendant (fraudster) notes down the ATM PIN when it is keyed in by the customer. Later, while returning the card to the customer, the attendant swaps the customer’s card with a dummy card that is identical to the customer’s card. Since the customer is unaware of the swapping, he secures the dummy card whereas the fraudster gets both the card and the PIN which he uses to withdraw cash till the card is blocked by the customer.

Experts say that the fraudsters keep several dummy cards of various banks and depending upon the card provided by the customer for the transaction, they pull out a similar card and hand it over to the customer. Since most customers don’t check if the returned card is theirs or not, the fraudsters are successful in cheating the customer.

Fraudsters also use the keypad jamming method to steal money. The risk departments of banks have termed it so because the modus operandi of the defrauder involves jamming both the ‘Enter’ and ‘Cancel’ buttons on the ATM machine by applying glue or by inserting a pin or blade at the edge of the button. So when the customer tries to press the ‘Enter/OK’ button after entering his ATM PIN, the key does not function and the customer can’t proceed with his transaction. At this juncture the customer thinks that the machine is not working and tries to cancel the transaction, which also does not go through as that button is also jammed. Thinking that the transaction is cancelled, he leaves the ATM machine. As soon as the customer leaves or is prompted to visit the nearby ATM machine, the fraudster takes over the machine. Since the transaction is active for around 30 seconds in most cases (some banks have reduced it to 20 seconds), he keeps the transaction active by pressing some functional buttons and in the meantime removes the glue or pin from the ‘Enter’ button to go ahead with the transaction. The fraudster then withdraws the cash from the customer’s account, leaving the customer unaware of the fraud till he checks the message from the bank.

Beware customers

A debit card holder should always remember that he has to conduct ATM transactions in complete privacy and never let anyone watch while he enters the PIN (Personal Identification Number). If another person gets hold of the PIN and card number, he can do online transactions without the cardholder’s knowledge. After completion of the transaction, the customer will have to ensure that the welcome page is displayed on the ATM screen.

Banks advise their customers to use their ATMs as far as possible and change the PIN numbers once in two months. “We also advised them to use only HDFC Bank ATMs as we believe security controls at some of the other bank ATMs may not be at par with HDFC Bank’s. We take this opportunity to stress that all our customers use HDFC Bank ATMs only and also change ATM PINs from time to time to prevent misuse,” HDFC Bank said.

Customers are not supposed to write the PIN on the card or in diaries. It’s always better to memorise the PIN number. The most important thing to remember is: Never disclose the PIN or card number to anyone, including bank employees and family members. Customers get mails and telephone calls from fraudsters — who claim they are from the bank — asking for card details. Fraudsters even masquerade as the RBI Governor for getting card details. But customers should not fall prey to such tricks.

While using the card, do not take help from strangers or hand over the card to anyone for using it. It can be easily swapped or cloned. “Always ensure that the card should not go out of your sight when you are making a payment. Also avoid speaking on the mobile phone while you are transacting. Ensure your current mobile number is registered with the bank so that you can get alerts for all your transactions. Beware of suspicious movements of people around the ATM or strangers trying to engage you in conversation,” said a bank official.

While dining out or at the petrol pump, customers should check whether the card given back to them by the merchant after completion of the transaction is their genuine card or not. “Look for extra devices attached to the ATMs that may be put to capture your data. It can be a camera or some electronic device. Customers should inform the bank if the ATM or debit card is lost or stolen and immediately report any unauthorised transaction. Check the transaction alert SMS and bank statements regularly,” he said.